Microsoft risky activities
Risk detections overview
Risk detections in Microsoft Entra ID Protection include any identified suspicious actions related to user accounts in the directory. Risk detections (both user and sign-in linked) contribute to the overall user risk score that is found in the Risky Users report. ID Protection provides organizations access to powerful resources to see and respond quickly to these suspicious actions. ID Protection generates risk detections only when the correct credentials are used. If incorrect credentials are used on a sign-in, it does not represent risk of credential compromise.
NOTE These detections are only available to tenants with a Microsoft Entra ID P2 license. Please note that this license level is NOT required for a SaaS Alerts Tenant to properly generate regular events.
Risk types and detection
Risk can be detected at the User and Sign-in level and two types of detection or calculation Real-time and Offline. Access to all risks are considered premium and is available to Microsoft Entra ID P2 customers only. A few of these events are available to Free and Microsoft Entra ID P1 customers and is reflected in the UI in the organization connection modal.
Why is a user at risk?
A user becomes a risky user when:
- They have one or more risky sign-ins.
- There are one or more risks detected on the user’s account, like Leaked Credentials.
A sign-in risk represents the probability that a given authentication request isn't the authorized identity owner. Risky activity can be detected for a user that isn't linked to a specific malicious sign-in but to the user itself. Real-time detections may not show up in reporting for 5 to 10 minutes. Offline detections may not show up in reporting for 48 hours.
The Microsoft system may detect that the risk event that contributed to the risky user risk score was either:
- A false positive
- The user risk was remediated by policy by either:
- Completing multifactor authentication
- Secure password change
The Microsoft system will dismiss the risk state and a risk detail of “AI confirmed sign-in safe” will show and no longer contribute to the user’s overall risk.
Sign-in risk detections
| Risk detection | Detection type | Type |
| Atypical travel | Offline | Premium |
| Anomalous Token | Offline | Premium |
| Anomalous Token | Real-time or Offline | Premium |
| Malware linked IP address | Offline | Premium This detection has been deprecated. |
| Suspicious browser | Offline | Premium |
| Unfamiliar sign-in properties | Real-time | Premium |
| Malicious IP address | Offline | Premium |
| Suspicious inbox manipulation rules | Offline | Premium |
| Password spray | Offline | Premium |
| Impossible travel | Offline | Premium |
| New country | Offline | Premium |
| Activity from anonymous IP address | Offline | Premium |
| Suspicious inbox forwarding | Offline | Premium |
| Mass Access to Sensitive Files | Offline | Premium |
| Verified threat actor IP | Real-time | Premium |
| Additional risk detected | Real-time or Offline | Nonpremium |
| Anonymous IP address | Real-time | Nonpremium |
| Admin confirmed user compromised | Offline | Nonpremium |
| Microsoft Entra threat intelligence | Real-time or Offline | Nonpremium |
User risk detections
| Risk detection | Detection type | Type |
| Possible attempt to access Primary Refresh Token (PRT) | Offline | Premium |
| Anomalous user activity | Offline | Premium |
| User reported suspicious activity | Offline | Premium |
| Additional risk detected | Real-time or Offline | Nonpremium |
| Leaked credentials | Offline | Nonpremium |
| Microsoft Entra threat intelligence | Offline | Nonpremium |
